A sophisticated spear phishing campaign has been identified, distributing the VIP keylogger through email attachments. The malware is delivered via a ZIP file containing a malicious executable disguised as a PDF. Once executed, an AutoIt script drops two encrypted files, which are then decrypted and injected into RegSvcs.exe using process hollowing techniques. The VIP keylogger is designed to steal sensitive information by logging keystrokes, capturing credentials from popular web browsers, and monitoring clipboard activity. The campaign employs obfuscation techniques and maintains persistence through a VBS script in the Startup folder. The final payload exfiltrates data through SMTP and communicates with a command and control server. Author: AlienVault
Related Tags:
process hollowing
exfiltration
data theft
Obfuscation
persistence
spear phishing
autoit
AlienVault OTX
AlienVault
Associated Indicators:
F0AD3189FE9076DDD632D304E6BEE9E8
51.38.247.67